Thanks for the tip, Bruce.

--------------------------------------------------
From: "Bruce Johnson" <[EMAIL PROTECTED]>
Sent: Thursday, September 04, 2008 10:03 AM
To: <[email protected]>
Subject: Re: Remote connection question
>
> On Sep 4, 2008, at 9:00 AM, Andrew Le wrote:
>
>> Hi,
>>
>> I have a similar situation.
>>
>> Say I have a Verizon DSL modem/router.
>>
>> And I have, say, two Macs connected to it with internal IPs (192.*.*.*).
>>
>> The modem itself has an external IP, but don't I need to configure the modem
>> itself so that my two Macs have separate external IPs known to the world so
>> I can access them (say, SSH into them) from the outside world?
>>
>> I've not been able to figure this out yet.
>
> You can't. You only have one external IP address; what you do is this:
>
> Go into your router's NAT setup and forward the SSH port (port 22) to
> one of the internal IP addresses. To accomplish this, you'll also have
> to assign static internal addresses to the Macs as well. Most of these
> routers support a chunk of their address space as static; see the
> documentation for your router.
>
> Once NAT forwarding is set to one of the Macs, you can ssh to it from
> the outside world.
>
> THEN you ssh from that Mac to the other one.
>
> Some suggested ssh hacks, enabled by editing /etc/sshd_config:
>
> change the line
>
> Protocol 1,2
>
> to:
>
> Protocol 2
>
> This prevents ssh from connecting with an old, vulnerable protocol.
> "Protocol 2" is now the default.
>
> And somewhere in there add the line:
>
> AllowUsers <usernames of users allowed to log in>
>
> If you look in your security log (viewable in Console under
> /var/log > secure.log) you will likely see scads of failed login attempts.
> (These are pretty much all skriptkiddies spamming for vulnerable
> machines, attempting logins under common vulnerable usernames.)
> AllowUsers is a belt-and-suspenders approach to blocking potential
> attackers.
>
> If you want a little more security, change the standard port from 22
> to something else.
>
> This discourages the automated attacks.
>
> A determined attacker can always scan a system to determine what port
> sshd is answering on, so it's only a mild precaution, but in general
> ssh is pretty tight. By default, on a stock install of OS X you're
> battened down quite tightly.
>
> The vulnerabilities arise when people start installing their own
> network services and things like PHP on their own, forgetting to
> change default passwords and such like.
>
> If you look in secure.log (filter on the string ' error: PAM:
> Authentication failure') you'll see scads of failed logins. I get
> hundreds a day from skriptkiddie attacks.
>
>
> --
> Bruce Johnson
> University of Arizona
> College of Pharmacy
> Information Technology Group
>
> Institutions do not have opinions, merely customs
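As an added example (not Bruce's code or anything from the list), the following POSIX shell script checks an sshd_config for the three settings discussed above (Protocol set to 2 only, AllowUsers present, Port moved off 22) and summarises the "error: PAM: Authentication failure" lines that Bruce filters secure.log on, grouped by source address. The config files and log lines it writes are constructed samples; the function names are my own, and the log line shape is what I expect from OpenSSH with PAM on OS X, so treat that format as an assumption and adjust the pattern if your secure.log differs.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config for the
# settings Bruce suggests (Protocol 2 only, AllowUsers set, Port moved off 22)
# and summarises the "error: PAM: Authentication failure" lines he filters
# secure.log on. Every file below is a constructed sample so it runs offline.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed "before" config: protocol 1 still enabled, no AllowUsers.
cat > "$SAMPLE_DIR/sshd_config.before" <<'EOF'
#Protocol 2,1
Protocol 1,2
PasswordAuthentication yes
EOF

# Constructed "after" config with the suggested changes applied.
cat > "$SAMPLE_DIR/sshd_config.after" <<'EOF'
Protocol 2
Port 2222
AllowUsers andrew
AllowUsers ale
EOF

# Constructed secure.log excerpt. The line shape is assumed to be what OpenSSH
# with PAM logs on OS X; hostnames, PIDs and addresses are made up (TEST-NET).
cat > "$SAMPLE_DIR/secure.log" <<'EOF'
Sep  4 09:12:01 imac sshd[412]: error: PAM: Authentication failure for root from 203.0.113.5
Sep  4 09:12:04 imac sshd[412]: error: PAM: Authentication failure for root from 203.0.113.5
Sep  4 09:12:09 imac sshd[418]: error: PAM: Authentication failure for illegal user admin from 203.0.113.5
Sep  4 09:13:30 imac sshd[425]: error: PAM: Authentication failure for illegal user test from 198.51.100.7
Sep  4 09:15:02 imac sshd[430]: Accepted keyboard-interactive/pam for andrew from 192.168.1.20 port 51022 ssh2
EOF

# sshd_value FILE KEYWORD -> first uncommented value for KEYWORD, or "unset".
# sshd takes the first occurrence of a keyword and matches it case-insensitively;
# a commented line makes $1 "#Protocol", so it never matches.
sshd_value() {
  val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# sshd_allowusers FILE -> names from every AllowUsers line (they accumulate),
# space-separated, or "unset" when there is none.
sshd_allowusers() {
  names=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1")
  names=${names% }
  if [ -n "$names" ]; then printf '%s\n' "$names"; else echo unset; fi
}

# audit FILE -> prints one line per failed check; returns 0 only if all pass.
audit() {
  ok=0
  [ "$(sshd_value "$1" Protocol)" = "2" ] || { echo "Protocol is not explicitly set to 2"; ok=1; }
  [ "$(sshd_allowusers "$1")" != "unset" ] || { echo "AllowUsers is not set"; ok=1; }
  case "$(sshd_value "$1" Port)" in
    22|unset) echo "Port is still 22"; ok=1 ;;
  esac
  return $ok
}

# pam_failures LOG -> number of PAM authentication failures in LOG.
pam_failures() {
  awk '/error: PAM: Authentication failure/ { n++ } END { print n + 0 }' "$1"
}

# pam_failure_sources LOG -> "COUNT ADDRESS" per source address, busiest first
# (the address is the last field of each failure line).
pam_failure_sources() {
  awk '/error: PAM: Authentication failure/ { print $NF }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

for f in "$SAMPLE_DIR/sshd_config.before" "$SAMPLE_DIR/sshd_config.after"; do
  echo "== $f"
  if audit "$f"; then echo "all checks pass"; fi
done
echo "PAM failures: $(pam_failures "$SAMPLE_DIR/secure.log")"
pam_failure_sources "$SAMPLE_DIR/secure.log"
```

To run the audit against a real machine, point `audit` at /etc/sshd_config and `pam_failures` / `pam_failure_sources` at /var/log/secure.log (reading the log needs root). The source summary is the useful part for deciding whether the noise is a few persistent scanners or a broad sweep; an absent Protocol line is reported because the script only trusts what the file states, not the daemon's compiled-in default.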
